CVE-2024-5784
📋 TL;DR
The Tutor LMS Pro WordPress plugin is missing capability checks on several of its request handlers, so any authenticated user with subscriber-level access or higher can perform actions reserved for administrators. These include deleting comments, posts, or users and viewing notifications. All WordPress sites running Tutor LMS Pro up to and including version 2.7.2 are affected.
💻 Affected Systems
- Tutor LMS Pro WordPress plugin
📦 What is this software?
Tutor LMS Pro is the paid edition of Tutor LMS, a learning-management-system plugin for WordPress developed by Themeum. It adds course, quiz, reporting, and class-management features on top of the free Tutor LMS plugin, and its users are typically students who register on the site with the subscriber role.
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding any account on the site (a subscriber registered through an open sign-up form is enough) could delete posts, comments, and user accounts wholesale, including administrator accounts, taking the site and its course data offline. Without a recent backup this is unrecoverable data loss.
Likely Case
A malicious or compromised low-privilege account deletes course content or other users' accounts and reads notifications not intended for it, disrupting course delivery until the damage is noticed and restored from backup.
If Mitigated
With registration restricted, destructive actions logged, and recent backups available, impact is limited to isolated content deletion that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires an authenticated account, but nothing more: the subscriber role suffices, and LMS sites commonly allow self-registration. Once logged in, the affected handlers, including treport_quiz_atttempt_delete and tutor_gc_class_action, can be called directly because the plugin never verifies that the caller holds the capability the action needs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.3 or later
Vendor Advisory: https://tutorlms.com/releases/id/299/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Tutor LMS Pro and click 'Update Now'.
4. Verify the installed version is 2.7.3 or higher.
🔧 Temporary Workarounds
Disable vulnerable functions via code
Add capability checks to the vulnerable functions, or disable them, until the update can be applied. The functions named in the advisory are treport_quiz_atttempt_delete and tutor_gc_class_action. Note that edits made directly to plugin files are lost on the next plugin update; a must-use plugin that intercepts the same actions and rejects callers without the required capability survives updates and is easier to remove afterwards.
Restrict user roles
Temporarily limit user registration (Settings → General → "Anyone can register") and review existing user permissions.
Use WordPress user management (Users → All Users, or `wp user list --role=subscriber`) to review subscriber-level accounts and remove any that are unexpected.
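The must-use plugin approach described above, as an added example that is not part of the advisory or of Tutor LMS Pro's own code. It hooks the admin-ajax actions at priority 1, so it runs before the plugin's handler (registered at the default priority 10), and rejects any caller who lacks the required capability. Two things are assumptions and must be confirmed against the installed plugin before relying on this: that the AJAX action names match the function names quoted in the advisory, and that `manage_options` is the appropriate capability for these actions.

```php
<?php
/**
 * Plugin Name: Tutor LMS Pro capability guard (temporary, added example)
 * Description: Blocks low-privilege users from reaching selected admin-ajax
 *              actions until Tutor LMS Pro is updated to 2.7.3 or later.
 *
 * Install by copying this file into wp-content/mu-plugins/ (create the
 * directory if needed); mu-plugins load before regular plugins and cannot
 * be disabled from the dashboard. Remove it once the plugin is updated.
 */

namespace Example\TutorGuard;

/*
 * ASSUMPTION: the admin-ajax action names mirror the function names quoted in
 * the advisory, and manage_options is the right capability. Verify both against
 * the plugin's own add_action('wp_ajax_...') registrations before deploying.
 */
const GUARDED_ACTIONS = [
    'treport_quiz_atttempt_delete' => 'manage_options',
    'tutor_gc_class_action'        => 'manage_options',
];

/**
 * Terminate the request with HTTP 403 unless the current user is logged in
 * and holds $capability. Because this runs at priority 1 on the same hook,
 * the plugin's handler at priority 10 is never reached for rejected callers.
 */
function enforce_capability( string $action, string $capability ): void {
    if ( ! is_user_logged_in() || ! current_user_can( $capability ) ) {
        // Leave a trail in the PHP error log so monitoring can pick it up.
        error_log( sprintf(
            'tutor-guard: blocked action=%s user_id=%d ip=%s',
            $action,
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
    }
}

foreach ( GUARDED_ACTIONS as $action => $capability ) {
    add_action(
        'wp_ajax_' . $action,
        static function () use ( $action, $capability ): void {
            enforce_capability( $action, $capability );
        },
        1
    );
}
```

Only the `wp_ajax_` (logged-in) hook is guarded because the vulnerability is reachable only by authenticated users; if a handler turns out to be registered on `wp_ajax_nopriv_` as well, add the same guard for that hook. The guard is a stopgap, not a substitute for the update: it protects only the actions listed, and the advisory's list of affected functions may be longer than the two quoted here.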
🧯 If You Can't Patch
- Disable the Tutor LMS Pro plugin until it can be updated. Courses and student-facing features become unavailable while it is off, so schedule this with the people who run the site.
- Implement strict monitoring of administrative actions and user activity logs, and keep a recent backup so deleted content and accounts can be restored.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Tutor LMS Pro version. If version is 2.7.2 or lower, you are vulnerable.
Check Version:
wp plugin list --fields=name,version,status | grep -i tutor
Verify Fix Applied:
After updating, verify the version shows 2.7.3 or higher in the WordPress plugins list (or in the `wp plugin list` output above). The plugin must also be active for the fixed code to be the code that runs.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized administrative actions by non-admin users
- Multiple delete operations from subscriber accounts
- Unexpected privilege escalation events
Network Indicators:
- HTTP POST requests to the vulnerable plugin endpoints from sessions belonging to non-admin users. Web-server access logs carry no WordPress role information, so attribute requests to users through an audit-log plugin or by correlating the session cookie with the logged-in user.
SIEM Query (illustrative; field and event names depend on the audit-log source feeding the SIEM):
source="wordpress" AND (event="delete_post" OR event="delete_user" OR event="delete_comment") AND user_role="subscriber"
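The log indicators above, turned into runnable detection logic as an added example (this is not code from the advisory or from the plugin). It scans an audit log for destructive events performed by roles that do not hold the matching WordPress capability, and additionally flags bursts of deletes from one account, which a subscriber abusing this bug would produce. The line format (one JSON object per line with `ts`, `user`, `role`, `event`, `target`) and the sample lines are constructed for this example; real audit plugins use their own schema, so adapt `parse_event()` to yours.

```php
<?php
/**
 * Added example: flag destructive WordPress events from under-privileged roles
 * and bursts of deletes per account. Run stand-alone with: php detect.php
 */

// Constructed sample audit log (not real data). One JSON object per line.
function sample_log(): string {
    return <<<'LOG'
{"ts":1717000000,"user":"editor1","role":"editor","event":"delete_post","target":"post:41"}
{"ts":1717000010,"user":"sub_x","role":"subscriber","event":"delete_comment","target":"comment:903"}
{"ts":1717000011,"user":"sub_x","role":"subscriber","event":"delete_comment","target":"comment:904"}
{"ts":1717000012,"user":"sub_x","role":"subscriber","event":"delete_post","target":"post:42"}
{"ts":1717000013,"user":"sub_x","role":"subscriber","event":"delete_user","target":"user:7"}
{"ts":1717000100,"user":"admin","role":"administrator","event":"delete_user","target":"user:9"}
{"ts":1717000200,"user":"student2","role":"subscriber","event":"login","target":""}
not valid json
LOG;
}

// Destructive event => the WordPress core capability that legitimises it.
const DESTRUCTIVE_EVENTS = [
    'delete_post'    => 'delete_others_posts',
    'delete_comment' => 'moderate_comments',
    'delete_user'    => 'delete_users',
];

// Trimmed table of WordPress core default role capabilities (only the ones
// this script consults). Extend it if your site defines custom roles.
const ROLE_CAPS = [
    'administrator' => ['delete_others_posts', 'moderate_comments', 'delete_users'],
    'editor'        => ['delete_others_posts', 'moderate_comments'],
    'author'        => [],
    'contributor'   => [],
    'subscriber'    => [],
];

const BURST_THRESHOLD = 3;  // this many destructive events ...
const BURST_WINDOW    = 60; // ... within this many seconds is a burst

/** Parse one line; return null for malformed input instead of aborting. */
function parse_event(string $line): ?array {
    $e = json_decode($line, true);
    if (!is_array($e) || !isset($e['ts'], $e['user'], $e['role'], $e['event'])) {
        return null;
    }
    return $e;
}

function role_can(string $role, string $cap): bool {
    return in_array($cap, ROLE_CAPS[$role] ?? [], true);
}

/** Return a list of finding strings for the given log text. */
function analyze(string $log): array {
    $findings = [];
    $timesByUser = []; // user => timestamps of destructive events
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_event($line);
        if ($e === null) {
            continue;
        }
        $cap = DESTRUCTIVE_EVENTS[$e['event']] ?? null;
        if ($cap === null) {
            continue; // not a destructive event
        }
        if (!role_can($e['role'], $cap)) {
            $findings[] = sprintf('UNAUTHORIZED %s by %s (%s) on %s at %d',
                $e['event'], $e['user'], $e['role'], $e['target'] ?? '?', (int) $e['ts']);
        }
        $timesByUser[$e['user']][] = (int) $e['ts'];
    }
    // Sliding window over each user's sorted timestamps.
    foreach ($timesByUser as $user => $times) {
        sort($times);
        for ($i = 0, $j = 0, $n = count($times); $j < $n; $j++) {
            while ($times[$j] - $times[$i] > BURST_WINDOW) {
                $i++;
            }
            if ($j - $i + 1 >= BURST_THRESHOLD) {
                $findings[] = sprintf('BURST %d deletes by %s within %ds',
                    $j - $i + 1, $user, BURST_WINDOW);
                break;
            }
        }
    }
    return $findings;
}

foreach (analyze(sample_log()) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample data this reports four UNAUTHORIZED findings for `sub_x` (a subscriber deleting comments, a post, and a user) plus one BURST for the same account, while the editor's and administrator's deletions pass because their roles carry the matching capability. The capability table is the point: a query keyed only on `user_role="subscriber"` misses authors or contributors abusing the same missing check, whereas comparing each event against the capability it should require catches any role that falls short.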